VPN pass through and the Self Zone and NAT

Answered Question
Sep 5th, 2008

Hi

If we have a router running zone based firewall and doing NAT but the VPN terminates on an ASA on the inside zone, do we need to consider the incoming client VPNs as being destined for the "self" zone if we are using NAT overloading through the outside interface of the router?


No

The rules are below:

* Whenever you filter traffic transiting the router, you control it with a zone-pair specifying an inside and an outside zone.

* The self zone controls traffic sent to the router itself or originated by the router.

* Unless you specify a zone-pair combining the self zone with another zone, all traffic from that zone sent to the router itself is allowed (the router is not protected).

* To control traffic that the router can send into a zone use a zone-pair from self to another zone. Use inspect in the service-policy to allow the return traffic.

* To filter the traffic that the router can accept, use a zone-pair from another zone to self. Only the packets accepted by this zone-pair's service-policy will be accepted by the router.

HTH
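An added configuration sketch, not from the thread, of the transit zone-pairs the answer describes: a router doing NAT overload on its outside interface, with client IPsec VPNs passing through to an ASA in the inside zone, and no self-zone pair involved. Interface names, addresses, and the one-to-one static translation for the ASA are assumptions of this example (it goes slightly beyond the thread there, since inbound IKE/ESP to a single inside host needs a fixed mapping rather than a PAT entry); the ACLs match the ASA's inside address because IOS un-translates inbound packets before the firewall classifies them, which is worth verifying on your release.

```cisco
! Added example (not the thread's). Assumed: Gi0/0 outside, Gi0/1 inside, ASA at 10.0.0.10, public 203.0.113.10.
ip access-list standard ACL-NAT-OVERLOAD
 deny   host 10.0.0.10
 permit 10.0.0.0 0.0.0.255
ip nat inside source static 10.0.0.10 203.0.113.10
ip nat inside source list ACL-NAT-OVERLOAD interface GigabitEthernet0/0 overload
ip access-list extended ACL-IKE-TO-ASA
 permit udp any host 10.0.0.10 eq isakmp
 permit udp any host 10.0.0.10 eq non500-isakmp
ip access-list extended ACL-ESP-TO-ASA
 permit esp any host 10.0.0.10
ip access-list extended ACL-ESP-FROM-ASA
 permit esp host 10.0.0.10 any
class-map type inspect match-all CM-IKE-TO-ASA
 match access-group name ACL-IKE-TO-ASA
class-map type inspect match-all CM-ESP-TO-ASA
 match access-group name ACL-ESP-TO-ASA
class-map type inspect match-all CM-ESP-FROM-ASA
 match access-group name ACL-ESP-FROM-ASA
class-map type inspect match-any CM-INSIDE-OUT
 match protocol tcp
 match protocol udp
 match protocol icmp
! IKE/NAT-T (UDP) is inspected statefully; ESP has no ports to track, so it is passed in both directions.
policy-map type inspect PM-OUT-TO-IN
 class type inspect CM-IKE-TO-ASA
  inspect
 class type inspect CM-ESP-TO-ASA
  pass
 class class-default
  drop
policy-map type inspect PM-IN-TO-OUT
 class type inspect CM-ESP-FROM-ASA
  pass
 class type inspect CM-INSIDE-OUT
  inspect
zone security INSIDE
zone security OUTSIDE
zone-pair security OUT-IN source OUTSIDE destination INSIDE
 service-policy type inspect PM-OUT-TO-IN
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect PM-IN-TO-OUT
interface GigabitEthernet0/0
 ip nat outside
 zone-member security OUTSIDE
interface GigabitEthernet0/1
 ip nat inside
 zone-member security INSIDE
! No self-zone pair: the client VPN traffic transits to the ASA, so OUT-IN and IN-OUT govern it.
```

Traffic addressed to the router itself (for example SSH to the outside interface) is still governed by the self zone and, as the answer notes, stays unfiltered until you add a zone-pair that includes it.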
